IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Andrew Gallagher <andrewg@andrewg.com> Thu, 02 March 2023 13:37 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE2D3C151AF6 for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 05:37:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IAHb4XJSLnOU for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 05:37:17 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15369C152EE1 for <openpgp@ietf.org>; Thu, 2 Mar 2023 05:37:01 -0800 (PST)
Received: from [192.168.3.141] (ip-83-147-167-54.glw.metro.digiweb.ie [83.147.167.54]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id E05205F4E1 for <openpgp@ietf.org>; Thu, 2 Mar 2023 13:36:58 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677764219; bh=L2OPBWvhjUte1einzXMPC4w2ZzTEUkgKI8LUjnKNArM=; h=Date:To:References:From:Subject:In-Reply-To:From; b=fLXLm9rsd3ipwEeziEA4oAZNL33BOLbZFfat153TvQZDsHjNpXn1kJid2l/ojGbaL Ky53ewD/7OJpF8QGNTbHremWrfi943I+QezlYgmI/TB/P1Gjb++N+ZqmyawWVvI7nq /E8nilghBQxE1o8PFF26Vd0KHlnJqaKZnTwY3J5M1K7ogQIi+jEjkrfZsVP5JM97Eg Haa+vY1CDBbDso2q26y0mwMV4n7bzTXrMfjuF7GV/o6Z9BKFTE1f81EOABiEc7aZxl o4zeT3fiTc17cJe5fIiB/UyFBtcXn+MeXcuxAM+t3R9jCmZt8nq3jnRXUowpmr9V57 83MYCleKb0HFw==
Message-ID: <c8bc1904-dcaf-6ab9-1f16-85a0a2761c6f@andrewg.com>
Date: Thu, 02 Mar 2023 13:36:57 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.7.0
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net> <87cz5sbsv3.fsf@europ.lan> <2ae335f9-b36a-f5e1-8668-b94a805b709e@andrewg.com> <87lekgs64c.fsf@fifthhorseman.net> <fb3a9276-f948-73dc-af81-46dfa9b02209@andrewg.com> <87a60vbi7n.fsf@europ.lan> <5ba74a57-c039-5ab8-45bc-30ae681bc8c8@andrewg.com> <877cvzbet0.fsf@europ.lan>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <877cvzbet0.fsf@europ.lan>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/1570cQjuG2TYE_d9cOlhVgiCokk>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 13:37:22 -0000

On 02/03/2023 10:58, Justus Winter wrote:
> 
> RFC4880 failed to specify a lot of things.  I fear that if we enumerate
> all of them, and retroactively sanction lenient behavior, that a) we're
> going to be here until the end of time, and b) weaken the already weak
> requirements that RFC4880 failed to nail down.

My proposed wording as of 2023-02-28 did not weaken the requirements of 
RFC4880, it actually strengthened them by restricting the manner in 
which malformed signatures could be processed. But you didn't like that 
one either.

> I understand that this is precisely your point: if the spec would
> sanction lenient behavior in this case, then that may convince Proton to
> support lenient behavior in GopenPGP, and that would enable Hockeypuck
> to serve these signatures.

Yes. Because I don't believe that it is the role of keyservers to be 
enforcers in this particular matter. It is keyserver operators who are 
fielding complaints, not Github, and the answer "nothing we can do, 
Github is a dumpster fire, blame them" does not satisfy users who just 
want things to work. Inflexibility is valuable if you apply it 
consistently from the start so that deviations don't arise in the first 
place. If you start applying it after twenty years of effective 
liberalism, you're just breaking things that used to work.

Postel's law is flawed, of course. But criticisms of it are framed in 
the context of synchronous protocols, and continuous improvement. You 
refuse to tolerate errors because that's the only way that your peers 
learn to do better.

A more appropriate maxim in this instance is "be tolerant of your 
grandparents, but teach your children properly". There's no value to be 
gained in refusing to buy a second hand out of print book, because there 
is no feedback mechanism to cause that book to improve itself. 
Invalidating a v4 signature on a git commit from 2013 does not encourage 
github to get in a time machine and fix their commit history. It just 
makes users angry because you *broke their stuff*.

> I assume that with "a significant number of apparently valid but
> malformed signatures" you don't mean artifacts produced by openpgp.php,
> which I don't believe to be in widespread use.  Instead, I think you
> refer to the malformed signatures produced by Github.  If so, are you
> going to propose a similar paragraph for the malformed MPIs?

I considered it, but that would further delay the draft over a 
technicality that did not have any direct consequences for me or my 
implementation. gopenpgp is already lenient on this matter, so I can 
live with it.

> Both cases are contingent on reading RFC4880 as allowing lenient
> behavior, which to this day I fundamentally disagree with.

It does not matter whether you think RFC4880 allowed lenient behaviour 
or not. What matters is that enough other people thought that it did, so 
there are now permanent facts on the ground that you are powerless to 
undo. Neither of us LIKE this scenario. I'm just not prepared to punish 
github users for a historical error that a) they had no hand in, b) has 
no known security implications, and c) nobody, not even github 
themselves, can now fix.

I would much prefer to do this in a documented and mantainable way. But 
since it is now clear that no consensus is possible on any further 
changes of wording, I will no longer pursue it in this forum.

I withdraw my proposal.

A

v2.23.0 | Report a Bug | By Email